New Computer Fraud and Abuse Act Bill

Last week (on June 20, 2013), Representatives Zoe Lofgren (D-CA), James Sensenbrenner (R-WI), Mike Doyle (D-PA), Yvette Clarke (D-NY), and Jared Polis (D-CO) introduced a new (bipartisan) version of Rep. Lofgren’s prior bill to modify the Computer Fraud and Abuse Act (“CFAA”). The new bill, “Aaron’s Law Act of 2013,” is named for Aaron Swartz (the computer programmer behind RSS and Internet activist who committed suicide in the midst of being prosecuted for allegedly violating the CFAA).

To do so, the bill would strike “exceeds authorized access” in section 1030(e)(6) (which is the definitional section) and replace it with “access without authorization,” which would be defined to have a three part test. Specifically, it would be defined to mean: “(A) to obtain information on a protected computer; (B) that the accesser lacks authorized to obtain; and (C) by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.”

The bill would then modify the CFAA throughout to replace “unauthorized access, or exceeding authorized access, to a” with “access without authorization of a protected” and to strike “exceeds authorized access.”

Finally, the bill would eliminate section 1030(a)(4) as redundant (one might question whether it is in fact redundant) and modify the penalties section, with the main goal of making the criminal penalties proportionate the harm caused by the crime.